Bump the php-prod group across 1 directory with 9 updates #602

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/composer/php-prod-1fbd8947cd

dependabot[bot] commented on behalf of github on Jun 18, 2026

Bumps the php-prod group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| doctrine/doctrine-bundle | 2.18.1 | 2.18.3 |
| doctrine/orm | 3.5.8 | 3.6.7 |
| jms/translation-bundle | 2.6.0 | 2.7.0 |
| nelmio/security-bundle | 3.6.0 | 3.9.0 |
| pagerfanta/pagerfanta | 4.7.2 | 4.8.0 |
| ramsey/uuid | 4.9.2 | 4.9.3 |
| twig/extra-bundle | 3.22.2 | 3.24.0 |
| twig/intl-extra | 3.22.1 | 3.26.0 |

Updates doctrine/doctrine-bundle from 2.18.1 to 2.18.3

Release notes

Sourced from doctrine/doctrine-bundle's releases.

2.18.3

Release Notes for 2.18.3

2.18.x bugfix release (patch)

2.18.3

  • Total issues resolved: 0
  • Total pull requests resolved: 3
  • Total contributors: 3

Bugfixes

CI

Documentation

2.18.2

Release Notes for 2.18.2

2.18.x bugfix release (patch)

2.18.2

  • Total issues resolved: 0
  • Total pull requests resolved: 9
  • Total contributors: 4

Bugfixes

Documentation

CI

... (truncated)

Commits
  • 241d61f Bump codecov/codecov-action from 6 to 7
  • d1013c3 remove form related services if the Form component is not installed
  • 1f7d0d5 Merge pull request #2228 from MatTheCat/lazy_entity_listener
  • e13fb5b Remove mention of lazy entity listeners
  • 79dd830 use complete version numbers in PHP requirements
  • 7a26a24 Merge pull request #2223 from doctrine/dependabot/github_actions/2.18.x/doctr...
  • 67d0146 Bump the doctrine group with 6 updates
  • 78f87b5 Bump codecov/codecov-action from 5 to 6
  • e09da41 Bump the doctrine group with 2 updates
  • cafee79 Bump ramsey/composer-install from 3 to 4
  • Additional commits viewable in compare view

Updates doctrine/orm from 3.5.8 to 3.6.7

Release notes

Sourced from doctrine/orm's releases.

3.6.7

This release contains the changes from https://github.com/doctrine/orm/releases/tag/2.20.13

3.6.6

Release Notes for 3.6.6

3.6.x bugfix release (patch)

3.6.6

  • Total issues resolved: 0
  • Total pull requests resolved: 3
  • Total contributors: 1

Bugfixes

CI

3.6.5

Release Notes for 3.6.5

3.6.x bugfix release (patch)

3.6.5

  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

Bugfixes

3.6.4

Release Notes for 3.6.4

3.6.x bugfix release (patch)

3.6.4

  • Total issues resolved: 0
  • Total pull requests resolved: 3
  • Total contributors: 3

Bugfixes

... (truncated)

Commits
  • bc217c0 Merge pull request #12486 from greg0ire/3.6.x
  • e75a435 Merge remote-tracking branch 'origin/2.20.x' into 3.6.x
  • f525f32 Merge pull request #12482 from greg0ire/fix-el-formatting
  • 4689337 Avoid passing arrays to get_class
  • 471b129 Merge pull request #12477 from greg0ire/avoid-overwrite
  • f2530f2 Merge pull request #12476 from greg0ire/def-expr-depr
  • 18977e0 Avoid adding the same foreign key twice for STI
  • 54b4f4b Address string default expression deprecation
  • 8b64c10 Merge pull request #12475 from greg0ire/fix-job-labels
  • fdea8dc Use correct matrix element name
  • Additional commits viewable in compare view

Updates jms/translation-bundle from 2.6.0 to 2.7.0

Release notes

Sourced from jms/translation-bundle's releases.

2.7.0

What's Changed

Full Changelog: schmittjoh/JMSTranslationBundle@2.6.0...2.7.0

Commits
  • 826b292 Merge pull request #623 from Steveb-p/fix-symfony-7.4-validator-extractor
  • 63e82c7 Enforce PHPStan version 11 to resolve conflict with simple-phpunit
  • eea34b2 Updated CI runner
  • 08a480b Use interface instead of implementation
  • 74143f9 Fixed Symfony 7.4 incompatibility
  • 7ae5197 Fixed Symfony 7.4 incompatibility
  • See full diff in compare view

Updates nelmio/security-bundle from 3.6.0 to 3.9.0

Release notes

Sourced from nelmio/security-bundle's releases.

v3.9.0

What's Changed

Full Changelog: nelmio/NelmioSecurityBundle@v3.8.0...v3.9.0

v3.8.0

What's Changed

Full Changelog: nelmio/NelmioSecurityBundle@v3.7.0...v3.8.0

v3.7.0

What's Changed

Full Changelog: nelmio/NelmioSecurityBundle@v3.6.0...v3.7.0

Commits
  • 86dd4d1 Merge pull request #389 from Spomky/feature/test-assertions
  • 0dc7667 feat(tests): Add PHPUnit assertions for security headers and update testing d...
  • 2fafee1 Merge pull request #372 from Spomky/features/cross-origin-policy
  • 63da27e Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP)
  • 9389ec2 Merge pull request #388 from Spomky/deps-update
  • a0eac15 chore(ci): Add Symfony 8.5 to the continuous integration matrix
  • d702968 chore(deps): Update PHPStan and PHPUnit versions in composer.json
  • a1f20ea Merge pull request #386 from damienalexandre/symfony8
  • ee3d9f1 fix(ci): Bump Symfony 7 to 7.3 minimum
  • f42af6e feat(upgrade): Bump allowed Symfony version to 8
  • Additional commits viewable in compare view

Updates pagerfanta/pagerfanta from 4.7.2 to 4.8.0

Changelog

Sourced from pagerfanta/pagerfanta's changelog.

4.8.0 (2026-01-22)

  • Add support for doctrine/collections 3.x

Commits

Updates ramsey/uuid from 4.9.2 to 4.9.3

Release notes

Sourced from ramsey/uuid's releases.

4.9.3

Fixed

  • Upgrade brick/math to support versions ^0.14 to ^0.17; fixed in #638.
  • Add support for brick/math ^0.18.

New Contributors

Full Changelog: ramsey/uuid@4.9.2...4.9.3

Changelog

Sourced from ramsey/uuid's changelog.

4.9.3 - 2026-06-18

Fixed

  • Upgrade brick/math to support versions ^0.14 to ^0.17; fixed in #638.
  • Add support for brick/math ^0.18.

Commits
  • 1df1584 Prepare release 4.9.3
  • 5525d34 Upgrade PHPStan to 2.2 and remove superfluous assertion
  • 0d95f9e Support brick/math 0.18
  • 1a1f98b [4.x] Upgrade brick/math to support versions ^0.14–^0.17 (#638)
  • 3d1c6d9 chore(deps): bump codecov/codecov-action from 5 to 6
  • 39d47ce chore(deps): bump ramsey/composer-install from 3 to 4
  • See full diff in compare view

Updates twig/extra-bundle from 3.22.2 to 3.24.0

Release notes

Sourced from twig/extra-bundle's releases.

v3.24.0

Changelog (twigphp/twig-extra-bundle@v3.23.0...v3.24.0)

  • no significant changes

v3.23.0

No release notes provided.

Commits
  • 6a621fc Fix CS
  • 7a27e78 minor #4718 Add .gitignore & .gitattributes to all .gitattributes (jmsche)
  • 8f6488a Add .gitignore & .gitattributes to all .gitattributes
  • See full diff in compare view

Updates twig/intl-extra from 3.22.1 to 3.26.0

Release notes

Sourced from twig/intl-extra's releases.

v3.26.0

Changelog (twigphp/intl-extra@v3.23.0...v3.26.0)

v3.24.0

Changelog (twigphp/intl-extra@v3.23.0...v3.24.0)

  • no significant changes

v3.23.0

No release notes provided.

Commits
  • 98f5ad5 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
  • 32f15a3 Add null-safe operator
  • d79645e Fix intl-extra tests
  • c5da148 Add .gitignore & .gitattributes to all .gitattributes
  • See full diff in compare view

Updates twig/twig from 3.22.2 to 3.27.1

Release notes

Sourced from twig/twig's releases.

v3.27.1

Changelog (twigphp/Twig@v3.27.0...v3.27.1)

  • bug #4822 Fix inconsistent array access with a Stringable key (@​fabpot)
  • bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (@​fabpot)

v3.27.0

Changelog (twigphp/Twig@v3.26.0...v3.27.0)

  • security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@​fabpot)
  • security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@​fabpot)
  • security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@​fabpot)
  • security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@​fabpot)
  • security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@​fabpot)
  • feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@​fabpot)
  • feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@​fabpot)
  • bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@​fabpot)
  • bug #4807 Escape root profile name in HtmlDumper (@​fabpot)
  • bug #4808 Restrict allowed classes in Profile::unserialize() (@​fabpot)
  • feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@​fabpot)

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

v3.24.0

Changelog (twigphp/Twig@v3.23.0...v3.24.0)

... (truncated)

Changelog

Sourced from twig/twig's changelog.

3.27.1 (2026-05-30)

  • Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path
  • Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array

3.27.0 (2026-05-27)

  • Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
  • Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
  • Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
  • Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
  • Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
  • Escape root profile name in HtmlDumper
  • Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
  • Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
  • Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
  • Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
  • Fix sandbox __toString bypass via the in and not in operators
  • Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
  • Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
  • Fix sandbox __toString policy bypass via dynamic mapping keys

3.26.0 (2026-05-20)

  • Document that the sandbox doesn't protect against resource exhaustion
  • Document template_from_string caveats when used in a sandboxed environment
  • Add docs on Markup about the goal of this class in the context of a sandbox
  • Pre-escape HTML input on the spaceless filter
  • Pre-escape HTML input on inline_css and inky_to_html filters
  • Fix XSS by adjusting is_safe annotation on HTML-emitting filters
  • [Profiler] Escape template and profile names in HtmlDumper
  • Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
  • Fix sandbox bypass in the "column" filter
  • Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
  • Fix sandbox bypass: PHP code injection via {% use %} template name
  • Fix sandbox bypass: PHP code injection via _self / import macro reference
  • Fix sandbox bypass in object destructuring assignment
  • Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
  • Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
  • Fix sandbox __toString bypasses
  • Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

  • Add a needs_is_sandboxed option for filters, functions, and tests
  • Use deterministic suffixes for generated embed classes
  • Lazy-load EscaperRuntime in EscaperExtension

3.24.0 (2026-03-17)

... (truncated)

Commits
  • ae2071b Prepare the 3.27.1 release
  • 79884de bug #4822 Fix inconsistent array access with a Stringable key (fabpot)
  • 8ec9530 Fix inconsistent array access with a Stringable key
  • dfb5232 bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (f...
  • d25f98f Preserve IteratorAggregate identity in sandbox __toString walker
  • 118938b Fix tests
  • 86f3b3a Bump version
  • 04ae1bf Prepare the 3.27.0 release
  • 99a1038 security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox ...
  • 23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes ...
  • Additional commits viewable in compare view

dependabot[bot] added the dependencies and php labels on Jun 18, 2026

Bumps the php-prod group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [doctrine/doctrine-bundle](https://github.com/doctrine/DoctrineBundle) | `2.18.1` | `2.18.3` |
| [doctrine/orm](https://github.com/doctrine/orm) | `3.5.8` | `3.6.7` |
| [jms/translation-bundle](https://github.com/schmittjoh/JMSTranslationBundle) | `2.6.0` | `2.7.0` |
| [nelmio/security-bundle](https://github.com/nelmio/NelmioSecurityBundle) | `3.6.0` | `3.9.0` |
| [pagerfanta/pagerfanta](https://github.com/BabDev/Pagerfanta) | `4.7.2` | `4.8.0` |
| [ramsey/uuid](https://github.com/ramsey/uuid) | `4.9.2` | `4.9.3` |
| [twig/extra-bundle](https://github.com/twigphp/twig-extra-bundle) | `3.22.2` | `3.24.0` |
| [twig/intl-extra](https://github.com/twigphp/intl-extra) | `3.22.1` | `3.26.0` |



Updates `doctrine/doctrine-bundle` from 2.18.1 to 2.18.3
- [Release notes](https://github.com/doctrine/DoctrineBundle/releases)
- [Commits](doctrine/DoctrineBundle@2.18.1...2.18.3)

Updates `doctrine/orm` from 3.5.8 to 3.6.7
- [Release notes](https://github.com/doctrine/orm/releases)
- [Commits](doctrine/orm@3.5.8...3.6.7)

Updates `jms/translation-bundle` from 2.6.0 to 2.7.0
- [Release notes](https://github.com/schmittjoh/JMSTranslationBundle/releases)
- [Changelog](https://github.com/schmittjoh/JMSTranslationBundle/blob/master/CHANGELOG.md)
- [Commits](schmittjoh/JMSTranslationBundle@2.6.0...2.7.0)

Updates `nelmio/security-bundle` from 3.6.0 to 3.9.0
- [Release notes](https://github.com/nelmio/NelmioSecurityBundle/releases)
- [Changelog](https://github.com/nelmio/NelmioSecurityBundle/blob/master/CHANGELOG.md)
- [Commits](nelmio/NelmioSecurityBundle@v3.6.0...v3.9.0)

Updates `pagerfanta/pagerfanta` from 4.7.2 to 4.8.0
- [Changelog](https://github.com/BabDev/Pagerfanta/blob/4.x/CHANGELOG.md)
- [Commits](BabDev/Pagerfanta@v4.7.2...v4.8.0)

Updates `ramsey/uuid` from 4.9.2 to 4.9.3
- [Release notes](https://github.com/ramsey/uuid/releases)
- [Changelog](https://github.com/ramsey/uuid/blob/4.x/CHANGELOG.md)
- [Commits](ramsey/uuid@4.9.2...4.9.3)

Updates `twig/extra-bundle` from 3.22.2 to 3.24.0
- [Release notes](https://github.com/twigphp/twig-extra-bundle/releases)
- [Commits](twigphp/twig-extra-bundle@v3.22.2...v3.24.0)

Updates `twig/intl-extra` from 3.22.1 to 3.26.0
- [Release notes](https://github.com/twigphp/intl-extra/releases)
- [Commits](twigphp/intl-extra@v3.22.1...v3.26.0)

Updates `twig/twig` from 3.22.2 to 3.27.1
- [Release notes](https://github.com/twigphp/Twig/releases)
- [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG)
- [Commits](twigphp/Twig@v3.22.2...v3.27.1)

---
updated-dependencies:
- dependency-name: doctrine/doctrine-bundle
  dependency-version: 2.18.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: php-prod
- dependency-name: doctrine/orm
  dependency-version: 3.6.7
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: jms/translation-bundle
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: nelmio/security-bundle
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: pagerfanta/pagerfanta
  dependency-version: 4.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: ramsey/uuid
  dependency-version: 4.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: php-prod
- dependency-name: twig/extra-bundle
  dependency-version: 3.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: twig/intl-extra
  dependency-version: 3.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
- dependency-name: twig/twig
  dependency-version: 3.27.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: php-prod
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] force-pushed the dependabot/composer/php-prod-1fbd8947cd branch from f7a59be to a4c1311 on June 23, 2026 12:43